From 34c57b4c4291f7d4fb51df8a0459b37428e344c4 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 2 Dec 2018 10:07:21 +0100
Subject: [PATCH] ACME: fix bug introduced in #49266, work around problem with Pebble (#49407)

---
 lib/ansible/module_utils/acme.py | 20 +++++++++++++++----
 .../targets/acme_account/tests/validate.yml | 2 +-
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/lib/ansible/module_utils/acme.py b/lib/ansible/module_utils/acme.py
index 16837550f4..cc7054b86d 100644
--- a/lib/ansible/module_utils/acme.py
+++ b/lib/ansible/module_utils/acme.py
@@ -568,7 +568,7 @@ class ACMEAccount(object):
         try:
             content = resp.read()
         except AttributeError:
-            content = info.pop('body')
+            content = info.pop('body', None)
         if content or not parse_json_result:
             if (parse_json_result and info['content-type'].startswith('application/json')) or 400 <= info['status'] < 600:
@@ -614,7 +614,7 @@ class ACMEAccount(object):
         try:
             content = resp.read()
         except AttributeError:
-            content = info.pop('body')
+            content = info.pop('body', None)
         # Process result
         if parse_json_result:
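Review bot: The new `None` default on `info.pop('body', None)` is unexplained at the call site, both here and in the second hunk at `@@ -614`; a one-line comment saying why `info` can lack a body would stop the next reader from reinstating the strict lookup that the subject line attributes to #49266. I would put `# fetch_url may omit 'body' from info (presumably when the response carries no payload) — confirm against fetch_url` directly above the line in both hunks. In this hunk a `None` content is then treated as empty by `if content or not parse_json_result:`; in the second hunk the handling under `# Process result` continues outside the hunk, so whether `None` is safe there cannot be confirmed from the diff. Both enclosing methods start and end outside their hunks.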
@@ -674,14 +674,26 @@ class ACMEAccount(object):
         url = self.directory['newAccount']
         result, info = self.send_signed_request(url, new_reg)
-        if 'location' in info:
-            self.set_account_uri(info['location'])
         if info['status'] in ([200, 201] if self.version == 1 else [201]):
             # Account did not exist
+            if 'location' in info:
+                self.set_account_uri(info['location'])
             return True
         elif info['status'] == (409 if self.version == 1 else 200):
             # Account did exist
+            if result.get('status') == 'deactivated':
+                # A probable bug in Pebble (https://github.com/letsencrypt/pebble/issues/179)
+                # and Boulder: this should not return a valid account object according to
+                # https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.6:
+                # "Once an account is deactivated, the server MUST NOT accept further
+                # requests authorized by that account's key."
+                if not allow_creation:
+                    return False
+                else:
+                    raise ModuleFailException("Account is deactivated")
+            if 'location' in info:
+                self.set_account_uri(info['location'])
             return False
         elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
             # Account does not exist (and we didn't try to create it)
diff --git a/test/integration/targets/acme_account/tests/validate.yml b/test/integration/targets/acme_account/tests/validate.yml
index ec0176ef8f..5d4cbcf1f1 100644
--- a/test/integration/targets/acme_account/tests/validate.yml
+++ b/test/integration/targets/acme_account/tests/validate.yml
@@ -55,7 +55,7 @@
   assert:
     that:
       - account_deactivate_idempotent is not changed
-      - account_deactivate_idempotent.account_uri is not none
+      - account_deactivate_idempotent.account_uri is none
 - name: Validate that the account is gone (new account key)
   assert:
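Review bot: The `result.get('status') == 'deactivated'` branch returns `False` when `allow_creation` is false, which makes a deactivated account indistinguishable from a non-existent one for the caller and leaves the account URI unset — that is what the flipped assertion in validate.yml (`account_uri is none`) relies on, but the comment block explains only the server bug, not this choice. I would add one line above `if not allow_creation:`, e.g. `# Without allow_creation, treat a deactivated account like a missing one (no account_uri) so deactivation stays idempotent; otherwise fail, since the key must not be used further.` The `else:` after `return False` is also redundant; `raise ModuleFailException("Account is deactivated")` can sit at the same level as the inner `if`. Note that the check presumes `result` is a dict here (the `400` branch already indexes `result['type']`, so this is consistent), and that the enclosing method starts and ends outside the hunk.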